September 6th, 2013
The official deadline for HIPAA covered entities to reach compliance with the provisions of the Omnibus Rule is officially set as September 23, 2013. This date is right around the corner and as a result, providers are concerned about meeting this deadline. The definition for a business associate has been greatly expanded and refined. Consequently, the need for new Business Associate Agreements (BAAs) should be undertaken by all covered entities and business associates.
Fortunately, there is a helpful provision in regards to implementing the updates to the Business Associate Agreements of which many providers are unaware - you have up to one year (if you meet the requirements)!
Here are the details straight from the Omnibus Rule (with emphasis added):
"The final rule adopts the proposal, adding new transition provisions to allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the revisions to the Rules.
We decline to provide a longer time for compliance with the business associate agreement provisions. We provided a similar transition period for revising agreements in the 2002 modifications to the HIPAA Rules, and it was our experience that such time was sufficient to ease burden on the entities and allow most agreements to be modified at the time they would otherwise come up for renewal or renegotiation.
With respect to those business associate agreements that already have been renegotiated in good faith to meet the applicable provisions in the HITECH Act, covered entities should review such agreements to determine whether they meet the final rule’s provisions. If they do not, these covered entities then have the transition period to make whatever additional changes are necessary to conform to the final rule.
The transition period is also available to those agreements that require compliance with all applicable laws (to the extent the agreements were otherwise in compliance with the HIPAA Rules prior to this final rule), but that do not fully meet the new requirements in this final rule.
However, we do not deem such contracts as compliant beyond the transition period because they would not sufficiently reflect the new requirements." - page 152
Another item that needs special attention is the case of automatically renewing contracts. The ruling made the following comment regarding these types of contracts:
"In cases where a contract renews automatically without any change in terms or other action by the parties (also known as “evergreen contracts”), the Department intended that such evergreen contracts would be eligible for the extension and that deemed compliance would not terminate when these contracts automatically rolled over. These transition provisions would have applied to covered entities and business associates only with respect to written contracts or other written arrangements as specified above, and not to oral contracts or other arrangements." - Page 151
In summary, Business Associate Agreements, or written contracts or other written arrangements in regards to subcontractors, that satisfy the HITECH requirements which were in effect before January 25, 2013 have until September 22, 2014 (or the date it is renewed or modified) to reach compliance if:
- The current contract or BAA meets HITECH requirements AND
- The current contract or other arrangement has not been renewed or modified between March 26, 2013 and September 23, 2013
An important note, and one that was discussed specifically in the ruling is that if a covered entity has entered into new contracts during the time that they should have been in compliance with the new ruling (that March 26-September 23, 2013 time frame), then those agreements DO NOT QUALIFY for the extended transition timeline.
For entities that have HITECH appropriate contracts/agreements, this announcement should NOT be viewed as an excuse to wait another year. Quite the opposite. This is a small reprieve to get your house in order. Fortunately, there is not a rush to renew or modify your agreements immediately. Take the time to do them carefully and appropriately.
For those that like to read the official ruling, in all its legaleze, here it is:
§ 164.532 Transition provisions.
(e) Implementation specification: Deemed compliance.
(1) Qualification. Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if:
(i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date; and
(ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.
(2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:
(i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
(ii) September 22, 2014.